The Communications-Electronics Command (CECOM) Software Engineering Center (SEC) and the U.S. Military Academy (USMA) at West Point partnered to test the feasibility of the SEC-developed mapping between Zero Trust (ZT) and the Department of Defense (DoD) Risk Management Framework (RMF). This effort was the first practical exercise to gather feedback on the mapping’s application.
ZT is a cybersecurity model that never assumes trust, and RMF is the systematic structure that manages and authorizes risk in DoD systems.
By combining the existing validated RMF results with targeted ZT outcomes, the USMA Cybersecurity branch was able to make meaningful progress toward ZT while staying grounded in the compliance framework that governs their systems. The approach not only advanced their ZT posture but also provided a repeatable method for integrating evolving security concepts into established risk management practices.
The effort was spearheaded by the USMA Chief Information Security Officer, leveraging a mapping from ZT activities to RMF Control Correlation Identifiers developed by CECOM SEC in collaboration with the Defense Acquisition University.
The CECOM-developed mapping helped the Academy build cybersecurity configurations, thereby saving resources. The team recognized that RMF and ZT operate on different timelines. RMF is often assessed in static, point-in-time snapshots to achieve a baseline. ZT is different because it requires continuous risk optimization that adapts to user behavior, device posture, and evolving threats. By viewing CCI mapping results through the ZT lens, the USMA team could bridge this gap and better align security work with modern operational demands.
The mapping helped manage risk with a ZT mindset while improving how the team prioritized ZT work. One of the most valuable outcomes was the clarity the mapping brought to control status. A green or “complete” designation does not always mean a control is fully implemented for ZT. To address this, the team used a dual-lens approach, viewing each CCI result in both RMF and ZT contexts. This approach helped the team determine ZT maturity while leveraging existing RMF compliance status.
Using the mapping and scoring, ZT activities were ranked according to how critical their underlying controls are within the RMF. Building on SEC’s CCI-to-ZT mapping initiative, the USMA team was able to review and prioritize ZT activities by focusing on the relevant CCIs. This allowed the Academy to integrate ZT principles without starting from scratch while also providing a clear view of where existing compliance work directly supported ZT outcomes.
For any questions, please contact Ms. Farhat Shah, farhat.shah4.civ@army.mil.